selinux.vger.kernel.org archive mirror
* [PATCH 0/2] allow disabling "security.restorecon_last" extended attribute.
From: Richard Haines @ 2016-08-24 12:52 UTC (permalink / raw)
  To: selinux

Allow the "security.restorecon_last" extended attribute to be ignored.
Setting this flag/option will not check or update any directory SHA1 digests.
Use this option to effectively disable usage of the security.restorecon_last
extended attribute. Note that setting this flag will override the
SELINUX_RESTORECON_IGNORE_DIGEST flag.

Richard Haines (2):
  libselinux: Ignore restorecon_last in selinux_restorecon(3)
  policycoreutils: setfiles - Add option to ignore restorecon_last

 libselinux/include/selinux/restorecon.h  |  4 ++++
 libselinux/man/man3/selinux_restorecon.3 | 20 +++++++++++++++++---
 libselinux/src/selinux_restorecon.c      |  9 ++++++++-
 libselinux/utils/selinux_restorecon.c    |  9 +++++++--
 policycoreutils/setfiles/restore.c       |  5 +++--
 policycoreutils/setfiles/restore.h       |  2 ++
 policycoreutils/setfiles/restorecon.8    | 14 ++++++++++++--
 policycoreutils/setfiles/setfiles.8      | 12 +++++++++++-
 policycoreutils/setfiles/setfiles.c      | 19 ++++++++++++-------
 9 files changed, 76 insertions(+), 18 deletions(-)

-- 
2.7.4


* Re: [PATCH 0/2] allow disabling "security.restorecon_last" extended attribute.
From: Stephen Smalley @ 2016-08-26 16:56 UTC (permalink / raw)
  To: Richard Haines, selinux

On 08/24/2016 08:52 AM, Richard Haines wrote:
> Allow the "security.restorecon_last" extended attribute to be ignored.
> Setting this flag/option will not check or update any directory SHA1 digests.
> Use this option to effectively disable usage of the security.restorecon_last
> extended attribute. Note that setting this flag will override the
> SELINUX_RESTORECON_IGNORE_DIGEST flag.

Seems confusing/overlapping with SELINUX_RESTORECON_IGNORE_DIGEST.
IGNORE_DIGEST presently disables using the result of the getxattr, but
it might as well just skip calling getxattr altogether.  So then the
only real difference is whether we set the digest afterward.  So maybe a
SELINUX_RESTORECON_DONTSET_DIGEST option would make sense.  But what's
the use case?

> 
> Richard Haines (2):
>   libselinux: Ignore restorecon_last in selinux_restorecon(3)
>   policycoreutils: setfiles - Add option to ignore restorecon_last
> 
>  libselinux/include/selinux/restorecon.h  |  4 ++++
>  libselinux/man/man3/selinux_restorecon.3 | 20 +++++++++++++++++---
>  libselinux/src/selinux_restorecon.c      |  9 ++++++++-
>  libselinux/utils/selinux_restorecon.c    |  9 +++++++--
>  policycoreutils/setfiles/restore.c       |  5 +++--
>  policycoreutils/setfiles/restore.h       |  2 ++
>  policycoreutils/setfiles/restorecon.8    | 14 ++++++++++++--
>  policycoreutils/setfiles/setfiles.8      | 12 +++++++++++-
>  policycoreutils/setfiles/setfiles.c      | 19 ++++++++++++-------
>  9 files changed, 76 insertions(+), 18 deletions(-)
> 


* Re: [PATCH 0/2] allow disabling "security.restorecon_last" extended attribute.
From: Richard Haines @ 2016-09-22 17:09 UTC (permalink / raw)
  To: Stephen Smalley, selinux

On Friday, 26 August 2016, 17:55, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 08/24/2016 08:52 AM, Richard Haines wrote:
>> Allow the "security.restorecon_last" extended attribute to be ignored.
>> Setting this flag/option will not check or update any directory SHA1 digests.
>> Use this option to effectively disable usage of the security.restorecon_last
>> extended attribute. Note that setting this flag will override the
>> SELINUX_RESTORECON_IGNORE_DIGEST flag.
>
> Seems confusing/overlapping with SELINUX_RESTORECON_IGNORE_DIGEST.
> IGNORE_DIGEST presently disables using the result of the getxattr, but
> it might as well just skip calling getxattr altogether.  So then the
> only real difference is whether we set the digest afterward.  So maybe a
> SELINUX_RESTORECON_DONTSET_DIGEST option would make sense.  But what's
> the use case?

I'll abandon this patch set as the correct way to disable the
"security.restorecon_last" extended attribute is to call
selabel_open() with SELABEL_OPT_DIGEST set to NULL.

I'll therefore submit another patch for setfiles/restorecon with this
option. Disabling the use of "security.restorecon_last" would be
useful for those who do not want this feature.
>>
>> Richard Haines (2):
>>   libselinux: Ignore restorecon_last in selinux_restorecon(3)
>>   policycoreutils: setfiles - Add option to ignore restorecon_last
>>
>>  libselinux/include/selinux/restorecon.h  |  4 ++++
>>  libselinux/man/man3/selinux_restorecon.3 | 20 +++++++++++++++++---
>>  libselinux/src/selinux_restorecon.c      |  9 ++++++++-
>>  libselinux/utils/selinux_restorecon.c    |  9 +++++++--
>>  policycoreutils/setfiles/restore.c       |  5 +++--
>>  policycoreutils/setfiles/restore.h       |  2 ++
>>  policycoreutils/setfiles/restorecon.8    | 14 ++++++++++++--
>>  policycoreutils/setfiles/setfiles.8      | 12 +++++++++++-
>>  policycoreutils/setfiles/setfiles.c      | 19 ++++++++++++-------
>>  9 files changed, 76 insertions(+), 18 deletions(-)
>>

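As an added illustration, not part of this thread and not libselinux code, here is a constructed Python model of the three behaviours the exchange above contrasts: the normal digest check-and-set, SELINUX_RESTORECON_IGNORE_DIGEST (check bypassed, digest still written), and a handle opened with SELABEL_OPT_DIGEST set to NULL (neither checked nor written). The flag's numeric value, the hex encoding of the digest and the in-memory xattr store are assumptions of the model.

```python
import hashlib

# Constructed model of the selinux_restorecon(3) digest logic discussed in
# the thread. It is not libselinux code; the flag value and the encoding of
# the digest are assumptions made for the model.
XATTR_NAME = "security.restorecon_last"
SELINUX_RESTORECON_IGNORE_DIGEST = 0x1


def specfile_digest(specfiles):
    """SHA1 over the file_contexts spec files, as a hex string in bytes.

    Stands in for the digest a selabel_open() handle carries when it was
    opened with SELABEL_OPT_DIGEST enabled."""
    h = hashlib.sha1()
    for data in specfiles:
        h.update(data)
    return h.hexdigest().encode()


def restorecon_dir(path, xattrs, digest, flags, relabel):
    """Decide whether to walk `path` and whether to record the digest.

    xattrs:  in-memory stand-in for extended attributes, {path: {name: value}}
    digest:  result of specfile_digest(), or None to model a handle opened
             with SELABEL_OPT_DIGEST set to NULL (feature fully disabled)
    flags:   SELINUX_RESTORECON_* flag bits
    relabel: callback that walks the tree and returns the number of files
             whose label changed
    Returns (skipped, changed).
    """
    dir_attrs = xattrs.setdefault(path, {})
    check = digest is not None and not (flags & SELINUX_RESTORECON_IGNORE_DIGEST)
    if check and dir_attrs.get(XATTR_NAME) == digest:
        # Same spec files as the last run: nothing to do for this tree.
        return True, 0
    changed = relabel(path)
    if digest is not None:
        # With IGNORE_DIGEST the check is bypassed but the digest is still
        # written; only a NULL SELABEL_OPT_DIGEST suppresses this write too.
        dir_attrs[XATTR_NAME] = digest
    return False, changed


if __name__ == "__main__":
    spec = [b"/usr(/.*)?  system_u:object_r:usr_t:s0\n"]  # constructed spec
    fs = {}
    walk = lambda p: 3  # pretend three files needed relabelling
    print(restorecon_dir("/usr", fs, specfile_digest(spec), 0, walk))
    print(restorecon_dir("/usr", fs, specfile_digest(spec), 0, walk))
    print(restorecon_dir("/usr", fs, None, 0, walk), fs["/usr"])
```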
